Panoptic Enterprises' FEDERAL CONTRACTS DISPATCH
DATE: May 23, 2003
SUBJECT: Defense Federal Acquisition Regulation Supplement (DFARS); Information Assurance
SOURCE: Federal Register, May 23, 2003, Vol. 68, No. 100, page 28187
AGENCIES: Department of Defense (DOD)
ACTION: Proposed Rule
SYNOPSIS: DOD is proposing to revise DFARS Subpart 239.71, Security and Privacy for Computer Systems, to address requirements for information assurance in the acquisition of information technology. The rule would implement policy issued by the National Security Telecommunications and Information Systems Security Committee.
DATES: Comments on the proposed rule must be submitted on or before July 22, 2003.
ADDRESSES: Respondents may submit comments directly on the web site at http://emissary.acq.osd.mil/dar/dfars.nsf/pubcomm. As an alternative, respondents may e-mail comments to: firstname.lastname@example.org. Also, respondents who cannot submit comments through the web site or by e-mail may submit comments to Defense Acquisition Regulations Council, Attn: Susan Schneider, OUSD(AT&L)DP(DAR), IMD 3C132, 3062 Defense Pentagon, Washington, DC 20301-3062, or by fax to 703-602-0350. Cite "DFARS Case 2002-D020" when making comments on this proposed rule.
FOR FURTHER INFORMATION CONTACT: Angelena Moy, 703-602-1302.
SUPPLEMENTAL INFORMATION: In July 1990, the National Security Telecommunications and Information Systems Security Committee (NSTISSC) was established for the purpose of developing and promulgating national policies applicable to the security of national security telecommunications and information systems. In January 2000, NSTISSC issued Policy No. 11, which addresses the national policy governing the acquisition of information assurance and information assurance-enabled information technology products. Policy No. 11 states that information assurance shall be considered as a requirement for all systems used to enter, process, store, display, or transmit national security information. DoD has issued DoD Directive 8500.1, Information Assurance, and DoD Instruction 8500.2, Information Assurance Implementation, to implement Policy No. 11. This proposed rule would revise DFARS Subpart 239.71 and DFARS 252.239-7000, Protection Against Compromising Emanations, to correspond to Policy No. 11.
The following are the most significant changes being proposed:
- Throughout DFARS Subpart 239.71, "information technology" would replace "computer systems," and "information assurance" would replace "security."
- DFARS 239.7101, General, would be revised to add the following sentence: "Information assurance includes the protection of information that is entered, processed, transmitted, stored, retrieved, displayed, or destroyed."
- DFARS 239.7102, Definition, would be added, and it would consist of the following: "Information assurance, as used in this subpart, means measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. This includes providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities."
- DFARS 239.7103, Policy and Responsibilities, would replace the current DFARS 239.7102, Security Against Compromising Emanations. Proposed DFARS 239.7103 would consist of two subsections:
  - DFARS 239.7103-1, General, which would require that agencies make sure that information assurance is provided for information technology "in accordance with current policies, procedures, and statutes, to include: (1) the National Security Act; (2) the Clinger-Cohen Act; (3) National Security Telecommunications and Information Systems Security Policy No. 11; (4) Federal Information Processing Standards; (5) DoD Directive 8500.1, Information Assurance; and (6) DoD Instruction 8500.2, Information Assurance Implementation" (proposed paragraph (a)).
    In addition, the requiring activity would be responsible for providing to the contracting officer: "(1) statements of work, specifications, or statements of objectives that meet information assurance requirements as specified in paragraph (a) of this subsection; (2) inspection and acceptance contract requirements; and (3) a determination as to whether the information technology requires protection against compromising emanations" (proposed paragraph (b)).
  - DFARS 239.7103-2, Compromising Emanations -- TEMPEST or Other Standard, which would require, for acquisitions requiring information assurance against compromising emanations, that requiring activities make sure to provide to the contracting officer "(a) the required protections, i.e., an established National TEMPEST standard (e.g., NACSEM 5100, NACSIM 5100A) or a standard used by other authority; (b) the required identification markings to include markings for TEMPEST or other standard, certified equipment (especially if to be reused); and (c) inspection and acceptance requirements addressing the validation of compliance with TEMPEST or other standards."
- DFARS 252.239-7000, Protection Against Compromising Emanations, which would be required in solicitations and contracts involving information technology that requires protection against compromising emanations, would require contractors to provide or use only information technology that has been accredited to meet the appropriate information assurance requirements of the TEMPEST standards or other standards specified in the contract. Upon request of the contracting officer, the contractor would be required to provide documentation supporting the accreditation. The government would have the right to conduct tests to ensure that information technology delivered under the contract satisfies the specified information assurance standards, and these tests may be conducted at the installation site or contractor's facility. The contractor would be required to correct or replace accepted information technology found to be deficient within one year after proper installations, and the correction or replacement would be at no cost to the government.
FOR FURTHER INFORMATION CONTACT: Panoptic Enterprises at 703-451-5953 or by e-mail to Panoptic@FedGovContracts.com.
Copyright 2003 by Panoptic Enterprises. All Rights Reserved.